wireless network disconnects when using IEEE 802.1x authentication

Guest

Hello,
I have a Blitzz 108 mb Super G Firewall Router and wireless adapter I
recently purchased.
I had everything up and running but anytime I use the IEEE 802.1x
authentication function for Windows XP Service Pack 2, my wireless network
disconnects from the internet. When I go and uncheck "Enable IEEE 802.1x
authentication for this network" I get my connection back. I have gotten so
frustrated, I have hooked my computer back up to my ethernet card.
I have looked at my certificates that I have on my desktop and most if not
all are still valid and have not expired.
Any suggestions of how I can get this to work?? I have my WEP set at
Hex/128 bit encryption.
Thank you for your time in this matter.
 
Steve Riley [MSFT]

802.1x usually requires a sophisticated infrastructure involving a RADIUS
server, a certificate server, and computer and user certificates. I don't
know what a Blitzz firewall router is; does that device provide all this for
you?

Steve Riley
(e-mail address removed)
 
Guest

Steve,
Thanks for the speedy reply. According to the owner's manual, Blitzz AP
Firewall Router gateway supports four different types of security modes: WEP,
WPA (Pre-Shared Key), WPA RADIUS and 802.1x RADIUS.
But, I have no idea of what the IP address for the RADIUS server would be.
So if I am unable to use 802.1x authentication on my computer, would my
security be compromised even though I will be using WEP 128 bit encryption??
Would my sensitive information be seen when I connect to my bank's website
when I am conducting online banking business without the authentication on??
If worse comes to worse, I could always turn on authentication when doing
sensitive business and turn it off when finished.
If you need any more information, please let me know.
Thank you again for your time in this matter.
 
Steve Riley [MSFT]

Before I discuss wireless encryption differences, let me address the bank
web site example. Your bank's web site (and usually just about any
well-designed web site that requires entering IDs and passwords) will create
an SSL session between the web server and your browser. This encrypted
session keeps your information confidential on the Internet. As an
interesting side effect, it also keeps that same information confidential
over the air, since it gets encrypted before it leaves the wireless NIC in
your computer.

But this isn't good enough: what about all the rest of your communications?
Or what about someone hijacking your wireless network? You still need to
"secure the air," so to speak, so you've got to do something. Choosing what
to do can be daunting.

Now, generally, for wireless security, the more computers you have, the
stronger of a security system you want. For a home network or small office
network of say 20 computers or less, plain old 128-bit WEP is good enough.
Change the encryption key in your access point and in all your computers
once a month -- I like to recommend on the first Monday of each month as an
easy-to-establish habit that you can put in your calendar as a reminder. To
brute-force the key an attacker will need far more data than what a small
network will generate in that time frame.

If your hardware can perform WPA PSK (pre-shared key), use that and you can
get completely out of the key-management business. WPA uses a key-management
mechanism called TKIP (temporal key integrity protocol). You program a
pre-shared *authentication* key into the AP and each client; WPA generates
new *encryption* keys for every frame (packet) of data that passes between
each client and the AP. That's a lot of encryption; it's best to use the AES
encryption algorithm (rather than WEP's RC-4) since AES is so much faster.
Change that authentication key say every six months.

If you've got multiple access points, or more than about 20 clients, then
you'll want to use a RADIUS server to handle keys and policies instead of
individually setting keys in clients. You will need to implement your own
RADIUS server to do that, and it works best if you've got an Active
Directory domain. Older wireless hardware can use only 802.1x. 802.1x is a
network port authentication protocol that uses EAP (extensible authentication
protocol) to process the authentication and RADIUS for carrying the
authentication conversation. In your RADIUS policy you'll indicate a key
lifetime -- 60 minutes is good for 802.11b, 15 minutes for 802.11a/g. Each
client that associates to the access point will receive its own WEP key and
EAP changes this key according to the interval set in the RADIUS policy.

Newer wireless hardware can use WPA, and again if you've got a network of
more than one AP or more than 20 clients WPA with RADIUS is the best way to
go. WPA still relies on RADIUS and 802.1x/EAP for the initial
authentication, but replaces EAP's key handling mechanism with its own TKIP
implementation, again changing those keys every frame.


I know this is a lot of information, but choosing a wireless security suite
isn't a trivial decision. This should help summarize:

                       hardware          encryption      RADIUS
network size           manufacture date  protocol        needed?
-------------------------------------------------------------------
1 AP or >20 clients    after 8/2003      WPA             yes
1 AP or >20 clients    before 8/2003     802.1x + EAP    yes
1 AP and <20 clients   after 8/2000      WPA + PSK       no
1 AP and <20 clients   before 8/2003     WEP 128-bit     no

Note: for hardware made before 8/2003 you might be able to apply a firmware
upgrade to add WPA support. Check with the manufacturer.


Steve Riley
(e-mail address removed)
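
The split described in the post above between the pre-shared *authentication* key and the *encryption* keys, as an added Python example that is not part of the original thread. It generates a passphrase for the periodic key change, derives the 256-bit key that the AP and each client compute from it (PBKDF2-HMAC-SHA1 with the SSID as salt, per IEEE 802.11i), and derives the per-association key block from which TKIP then mixes per-frame keys. The MAC addresses, the SSID "HomeNetwork" and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import string

def generate_passphrase(length=32):
    """Random passphrase to program into the AP and every client."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters long")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

def derive_psk(passphrase, ssid):
    """256-bit pre-shared key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    printable = all(32 <= ord(c) <= 126 for c in passphrase)
    if not (8 <= len(passphrase) <= 63 and printable):
        raise ValueError("passphrase must be 8 to 63 printable ASCII characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def derive_session_keys(psk, ap_mac, client_mac, anonce, snonce, length=64):
    """802.11i PRF: key block bound to both MAC addresses and both nonces."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    block = b""
    counter = 0
    while len(block) < length:
        msg = b"Pairwise key expansion" + b"\x00" + data + bytes([counter])
        block += hmac.new(psk, msg, hashlib.sha1).digest()
        counter += 1
    return block[:length]

# Constructed sample addresses (not from the thread)
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")

def new_association(psk):
    """Simulate one association: AP and client each contribute a fresh nonce."""
    return derive_session_keys(psk, AP_MAC, CLIENT_MAC,
                               secrets.token_bytes(32), secrets.token_bytes(32))

if __name__ == "__main__":
    psk = derive_psk(generate_passphrase(), "HomeNetwork")
    print("PSK:", psk.hex())
    print("keys differ per association:", new_association(psk) != new_association(psk))
```

The pre-shared key depends only on the passphrase and the SSID, so it stays the same until you change the passphrase; the session keys change on every association because the nonces do.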
 
Guest

Steve,
Thank you again for your detailed information. I will print this out and
configure for my 1 AP and my 1 computer. I hope this will keep my computer
from disconnecting every 5 minutes.
Thank you again for your time in this matter.
 
Steve Riley [MSFT]

With one AP and one computer, you're fine with the 128-bit WEP key and
monthly key rotation. That's what I do at home.

Glad to have helped out.

Steve Riley
(e-mail address removed)
 